News, events, publications

EDA-DPR-074 - Contractor Support for Operations Platform

Records and compliance checklist

Under Article 31 of the new Regulation, EUIs have to keep records of their processing operations. This template covers two aspects:

1.Mandatory records under Article 31 of the new rules (recommendation: publicly available)
2.Compliance check and risk screening (internal).

The header and part 1 should be publicly available; part 2 is internal to the EUI. By way of example, column 3 contains a hypothetical record on badges and physical access control in a EUI.
Nr Item Explanation
Header - versioning and reference numbers (recommendation: publicly available)
1. Last update of this record 05-09-2022
2. Reference number EDA-DPR-074 - Contractor Support for Operations Platform
part 1 - article 31 record (recommendation: publicly available)
3. Name and contact details of controller
European Defence Agency

Rue des Drapiers 17-23
B-1050 Brussels
4. Name and contact details of DPO

Head of the Legal Office, Legal Advisor / Data Protection Mr Pedro ROSA PLAZA

5. Name and contact details of joint controller (where applicable)
6. Name and contact details of processor (where applicable)
7. Purpose of the processing
The purpose of the CSO Platform is to facilitate access of relevant Contracting Authorities (MSO users) to Economic Operators (PSC users) who can provide goods and services in support of operations of EU missions, MoD's and other agencies.
8. Description of categories of persons whose data EDA processes and list of data categories
  • Staff of Economic Operators, who have an interest in Business Opportunities (PSC users).
  • Personnel from Contracting Authorities, who choose to use CSO platform (MSO users).

The following data will be processed:

  • Of MSO (Member States and EU CSDP missions and operations) users: > First name > Surname > Contact email > Organisation
  • Of PSC (Private Sector Companies) users: > Contact name > Contact surname > Contact phone > Contact email > Contact website > References (clients' name)
9. Time limit for keeping the data
The personal data is processed as long as the account is active and then deleted within 1 year after closing the account.
10. Recipients of the data
  • EDA Staff;
  • Accredited users with access to the same platform may see the contact details of other users (i.e. MSO and PSC users).
11. Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?
As the platform is open to registration to users based in 3rd countries, the aforementioned data of PSC and MSO users can be seen by PSC and MSO users based in 3rd countries.
12. General description of security measures, where possible.
EDA has implemented appropriate technical and organisational measures (firewall, checkpoints, antivirus) to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected. Such measures have been taken in particular to prevent any unauthorised disclosure or access, accidental or unlawful destruction or accidental loss, or alteration and to prevent all others unlawful forms of processing.
13. For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement
Additional information is available by following the link to privacy statement here.